CVE-2025-43989

low-risk

Published 2025-08-13

The /goform/formJsonAjaxReq POST endpoint of Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices mishandles the set_timesetting action with the ntpserver0 parameter, which is used in a system command. By setting a username=admin cookie (bypassing normal session checks), an unauthenticated attacker can use that parameter to execute arbitrary OS commands.

Do I need to act?

0.26% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / HIGH complexity

References (4)

https://drive.proton.me/urls/H7J1DPNA00#XrmRLENzyZAp

https://drive.proton.me/urls/QDVK6E2SBR#8LlpbHWzHdmr

https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2025-43989.txt

https://github.com/actuator/cve/tree/main/Tuoshi

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal